PMASA-2013-2

Announcement-ID: PMASA-2013-2

Date: 2013-04-24

Summary

Remote code execution via preg_replace().

Description

In some PHP versions, the preg_replace() function can be tricked into executing arbitrary PHP code on the server. This is done by passing a crafted argument as the regular expression, containing a null byte.
phpMyAdmin does not correctly sanitize an argument passed to preg_replace() when using the "Replace table prefix" feature, opening the way to this vulnerability.

Severity

We consider this vulnerability to be serious.

Mitigation factor

This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users to access the required form.

Affected Versions

Versions 3.5.x and 4.0.0 (before -rc3) are affected.

Solution

For 3.5.x, upgrade to phpMyAdmin 3.5.8 or newer; for 4.0.x, upgrade to 4.0.0-rc3 or newer. You can also apply the patches listed below.